Organizations should disband their security team: Jeffrey Wheatman

Managing digital business risk is like a game of Whack-a-mole. A security risk pops up in one hole, and once you've dealt with it, it pops up somewhere else. So how should organizations build an adaptive and resilient digital security practice to address the dynamic demands of a digital business? Jeffrey Wheatman, Research Director, Gartner, spoke to ETCIO.COM on how organizations should build an effective security strategy to combat digital security risks.

As enterprises move towards the digital ecosystem, they lose a lot of control over the infrastructure, applications, storage, and systems. Convention holds that increasing risk equates to increasing dedicated security teams. How should enterprises, then, beef up their IT security teams, especially in these times when security skills are in short supply?

In the digital ecosystem, enterprises are exposed to more risks. So it sounds logical that they need to grow their security teams to combat the increasing security threats. But is it actually helpful? We have learnt from experienced CEOs, CFOs, COOs and board members that bigger security teams result in greater complexity and difficulty in getting things done. Business says it wants to move faster, and they say that all security does is slow them down. Security teams are often viewed as an inhibitor to innovation. They take the IT assurance role too seriously. This inhibits innovation and alienates the business.

In order to be more effective in managing security risks, we need lean teams. We need to push risk management and security to the business rather than into IT.

Business lives, thrives and derives value from the information and data. These business critical assets need to be guarded against potential security risks. So it’s only pragmatic to push the protection of the data and information closer to the business stakeholders.

Business, risk and security leaders must consider the benefits of devolving security teams into the rest of the enterprise.

So, you think small IT teams are more effective?

Having big security teams doesn't really facilitate business. The bigger the teams get, the more layers of management we need to add. The more abstract it becomes, the harder it becomes to understand what's going on on the ground.

In fact, the business has come to trust them less. They rely more on third-party providers and external service providers. They buy passwords more. They trust the cloud platform for all their business requirements. Now your business peers can drop a credit card and buy a service. They don't need to talk to IT.

We are seeing a lot of added complexity because the shift to digital business is resulting in the creation of new roles like Chief Digital Officer, Chief Risk Officer, and Chief Data Officer. We are seeing organizations that have both CSOs and CISOs. And they are being elevated to be the peers of CIOs instead of direct reports. And in the middle, we have the Chief Digital Security Officer.

This leads to a lot of complexity. All these new roles are involved in security in some way or the other. When something is everyone’s responsibility, nobody does it effectively and efficiently.

Maybe we can take all the functions that security does or most of them and guide the business stakeholders to do it on their behalf.

In a traditional cyber security department we have the centralized information security team that does risk management, creates policy, strategy, and frameworks. They manage business continuity and enterprise resilience, define architectures and run awareness programs.

So how should enterprises transform their security teams to deal with digital business risk?

Organizations should establish the principle of owner accountability. They should drive as much security budget and ownership to projects and lines of business.

They should find out the things security does not as a department but as a functional domain and figure out how they can be efficiently tackled by being more embedded in the business. In order to be truly effective, information security and risk must be fully integrated into the fabric of the enterprise.

The security team was not created to protect the enterprise from all threats and security risks. It was created to solve a business problem. In many cases, security leaders and their teams have become abstracted from that business problem.

The business doesn't want to talk to them because they say 'no' all the time. And the security leaders say no all the time because they don't really understand what the business is trying to accomplish. And this is because the business doesn't involve them in the strategy-building process. So it becomes a self-perpetuating cycle. We also know that the more entrenched and embedded security is, the harder it is to free up the budget.

By 2020, security programs that are sponsored by IT will suffer significant security breaches, three times more than those sponsored by other digital stakeholders.

This is purely because security is not embedded in the business. I talk to C-level executives and board members regularly, and they say that security officers ask them for more money, tools, and resources, but they don't really understand what the business gets for that investment. So security leaders are not able to communicate effectively with their executive peers. They struggle to justify security investments and prove their ROI.

Organizations should identify functions or capabilities that can be devolved elsewhere in the business or IT. Activities like vendor risk management can be moved into the overall IT risk management function. Awareness programs can easily be run by a group that knows how to communicate well and run training programs. The PR or corporate communications department can take the onus of user awareness programs.

Security can try to shift to a digital architecture so applications and projects can be handled by the PMO. Identity and access management should be managed by application administrators.

There is still going to be a security function but they will provide governance, guidance, and strategic oversight. They will give business a framework and let them take owner accountability.

The advantage of this approach is that it reduces bureaucracy and gives business a free hand. Aside from the fact that it will help security shed a lot of complexity, it will help you groom your next generation of security and risk managers because then they will come to the role with business knowledge that right now most of them don’t have.
